MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc6029deaedcc6a494cb627eb70712138fd984d2fa0dda185b4bd36444d7013e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 10



SHA256 hash: bc6029deaedcc6a494cb627eb70712138fd984d2fa0dda185b4bd36444d7013e
SHA3-384 hash: 3520b5490f4fc3e5b3d9f5cf236f95fab68694d7356c7decd3eb0e579c01104542b8471d1106a09d7f3b5ad27860699e
SHA1 hash: 7e8ca44d18f882526dccbab5582b018d27ad3572
MD5 hash: eccb3b5541a41dfb4ee388ee4de68e5c
humanhash: eight-west-double-asparagus
File name: Rage_Crack_Download.exe
Signature: CoinMiner
File size: 82'067'539 bytes
First seen: 2025-11-22 02:21:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 35686f86a183dc6a9ec694033bf670c2 (4 x MaskGramStealer, 3 x CoinMiner)
ssdeep: 393216:5EI64mShA4qF0mHlhDCDv7aClkNRI147WBK0QSI8w5SvDazn1d5VRx+Abr7nB9Ga:5QgbLfQlRXHnysf+tgPdBse6Ny
TLSH: T16B087C46A7EA04D5F9F79A349AE65213C673BC463F3085CF3208172A1F736E0997A721
TrID: 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
      12.2% (.EXE) OS/2 Executable (generic) (2029/13)
      12.0% (.EXE) Generic Win/DOS Executable (2002/3)
      12.0% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: aachum
Tags: cherrystonesoftware-com CoinMiner digital-marketing-pro-365-com exe NodeLoader


iamaachum
https://cherrystonesoftware.com/download.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 197
Origin country: ES
Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: Rage_Crack_Download.exe
Verdict: Suspicious activity
Analysis date: 2025-11-22 02:22:42 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm crypto expand fingerprint installer-heuristic lolbin microsoft_visual_cc nexe overlay packed

Verdict: Malicious
File Type: exe x64
First seen: 2025-11-22T02:57:00Z UTC
Last seen: 2025-11-22T03:28:00Z UTC
Hits: ~100
Detections: Trojan.Win64.Agentb.lfdg

Result
Threat name:
Detection: malicious
Classification: evad.spyw.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Disable Windows Defender notifications (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses WMIC command to query system information (often done to detect virtual machines)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (rendered as an image on the original page; the details below are recovered from its labels):
Graph ID: 1818960; Sample: Rage_Crack_Download.exe; Start date: 22/11/2025; Architecture: WINDOWS; Score: 100
Network: ip-api.com (208.95.112.1:80), digital-marketing-pro-365.com (172.64.80.1:443), wee-wee-gachi-master.com (172.67.222.183:443)
Process tree (abridged): Rage_Crack_Download.exe starts Xc7W1yfwZpqRWAzU.exe, X2dZWYqRw24XIpxW.exe and cmd.exe (which runs WMIC.exe for the Win32_VideoController and Win32_DiskDrive queries); Xc7W1yfwZpqRWAzU.exe drops WmiPrvSE.exe under C:\ProgramData\Microsoft\..., starts powershell.exe and cmd.exe (net.exe -> net1.exe), modifies Windows Update settings and adds the Defender exclusion and notification changes; X2dZWYqRw24XIpxW.exe drops spooIsv.exe under C:\Users\user\AppData\Roaming\..., which later runs on its own with the code-overwrite, module-proxying and direct-syscall signatures; one of the other child processes of Rage_Crack_Download.exe drops LedgerLive.exe and creates scheduled tasks via schtasks.exe; svchost.exe instances spawn WerFault.exe twice
Dropped files: modules.node (PE32+), hYt1lVzb6lCaFBaH.exe (PE32), Xc7W1yfwZpqRWAzU.exe (PE32+), X2dZWYqRw24XIpxW.exe (PE32+), WmiPrvSE.exe (PE32+), spooIsv.exe (PE32+), LedgerLive.exe (PE32)
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2025-11-22 02:22:50 UTC
File Type: PE+ (Exe)
Extracted files: 20
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a

Behaviour
Checks processor information in registry

Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File: Executable exe bc6029deaedcc6a494cb627eb70712138fd984d2fa0dda185b4bd36444d7013e (this sample)

Delivery method
Distributed via web download

Comments